updating csp and test

app/__init__.py

@@ -141,9 +141,8 @@ navigation = {
 def _csp(config):
     asset_domain = config["ASSET_DOMAIN"]
     logo_domain = config["LOGO_CDN_DOMAIN"]
-    api_public_url = config["API_PUBLIC_URL"]
 
-    csp = {
+    return {
         "default-src": ["'self'", asset_domain],
         "frame-src": [
             "https://www.youtube.com",
@@ -167,22 +166,19 @@ def _csp(config):
             "'self'",
             "https://gov-bam.nr-data.net",
             "https://www.google-analytics.com",
+            "http://localhost:6011",
+            "ws://localhost:6011",
+            "https://notify-api-staging.app.cloud.gov",
+            "wss://notify-api-staging.app.cloud.gov",
+            "https://notify-api-demo.app.cloud.gov",
+            "wss://notify-api-demo.app.cloud.gov",
+            "https://notify-api-production.app.cloud.gov",
+            "wss://notify-api-production.app.cloud.gov",
         ],
         "style-src": ["'self'", asset_domain],
         "img-src": ["'self'", asset_domain, logo_domain],
     }
 
-    if api_public_url:
-        csp["connect-src"].append(api_public_url)
-        # this is for web socket
-        if api_public_url.startswith("http://"):
-            ws_url = api_public_url.replace("http://", "ws://")
-            csp["connect-src"].append(ws_url)
-        elif api_public_url.startswith("https://"):
-            ws_url = api_public_url.replace("https://", "wss://")
-            csp["connect-src"].append(ws_url)
-    return csp
-
 
 def create_app(application):
     @application.after_request

app/config.py

@@ -134,7 +134,6 @@ class Test(Development):
     ASSET_PATH = "https://static.example.com/"
 
     API_HOST_NAME = "http://you-forgot-to-mock-an-api-call-to"
-    API_PUBLIC_URL = "http://you-forgot-to-mock-an-api-call-to"
 
     REDIS_URL = "redis://you-forgot-to-mock-a-redis-call-to"
     LOGO_CDN_DOMAIN = "static-logos.test.com"

tests/app/main/views/test_headers.py

@@ -27,21 +27,12 @@ def test_owasp_useful_headers_set(
         csp,
     )
     assert search(r"'nonce-[^']+';", csp)
-    assert search(
-        r"connect-src 'self' https:\/\/gov-bam\.nr-data\.net https:\/\/www\.google-analytics\.",
-        csp,
-    )
+    assert search(r"connect-src", csp)
+    assert search(r"https:\/\/gov-bam\.nr-data\.net", csp)
+    assert search(r"https:\/\/www\.google-analytics\.com", csp)
+    assert search(r"http:\/\/localhost:6011", csp)
+    assert search(r"ws:\/\/localhost:6011", csp)
+    assert search(r"https:\/\/notify-api-.*\.app\.cloud\.gov", csp)
+    assert search(r"wss:\/\/notify-api-.*\.app\.cloud\.gov", csp)
     assert search(r"style-src 'self' static\.example\.com 'nonce-.*';", csp)
     assert search(r"img-src 'self' static\.example\.com static-logos\.test\.com", csp)
-    api_public_url = current_app.config.get("API_PUBLIC_URL")
-    assert api_public_url is not None, f"API_PUBLIC_URL: {api_public_url} — is missing"
-
-    assert api_public_url in csp
-    if api_public_url.startswith("http://"):
-        assert api_public_url.replace("http://", "ws://") in csp
-    elif api_public_url.startswith("https://"):
-        assert api_public_url.replace("https://", "wss://") in csp
-    else:
-        raise AssertionError(
-            f"Unexpected API_PUBLIC_URL format: {api_public_url} — must start with 'http://' or 'https://'"
-        )